Hurricane Electric 隧道仅在执行 traceroute 之后才开始工作


我先简单描述一下网络结构,以及我想做什么、为什么要这样做。不幸的是,我的 ISP(意大利顶级 ISP 之一)提供 IPv6,但只能用于上网浏览;如果尝试通过 IPv6 从外部访问内部服务(IP 摄像头、远程桌面或其他服务),则无法访问,因为 ISP 的路由器会阻止这些流量。我无法更改 ISP 的路由器,因为我使用的是 FTTH,而 ISP 不公开光纤转以太网转换器的技术细节。因此,我尝试采用图中所示的方案:上网浏览走 ISP 的 IPv6/IPv4,从外部访问则走 Hurricane Electric 隧道。

我在实现目标时遇到的唯一问题是:只有在我执行一次 traceroute 之后,NAS 才开始与外界通信;此后只要我保持连接处于活动状态,一切正常。一旦 HE 隧道中有一段时间没有通信,连接似乎就会再次中断、无法通信,再执行一次 traceroute 后又恢复正常!

我真的不知道是什么原因导致了这个问题,这对我来说真的很奇怪:(

OpenWRT 网络配置的更多配置细节:

        config interface 'loopback'
            option ifname 'lo'
            option proto 'static'
            option ipaddr '127.0.0.1'
            option netmask '255.0.0.0'

    config globals 'globals'

    config interface 'lan'
            option type 'bridge'
            option ifname 'eth0.1'
            option proto 'static'
            option ipaddr '172.xx.x.x'
            option netmask '255.255.255.0'
            option ip6addr '2001:b07:x:x:x:3/64' | ISP IPv6
            option ip6gw '2001:b07:x:x:x:2'

    config interface 'wan'
            option ifname 'eth1.2'
            option proto 'dhcp'

    config interface 'wan6'
            option ifname 'eth1.2'
            option proto 'static'
            option ip6addr '2001:b07:x:x:x:2/126'
            option ip6gw '2001:b07:x:x:x:1'

    config switch
            option name 'switch0'
            option reset '1'
            option enable_vlan '1'

    config switch_vlan
            option device 'switch0'
            option vlan '1'
            option ports '1 2 3 5t'
            option vid '1'

    config switch_vlan
            option device 'switch0'
            option vlan '2'
            option ports '4 6t'
            option vid '2'

    config switch_vlan
            option device 'switch0'
            option vlan '3'
            option vid '3'
            option ports '0 5t 6'

    config interface 'WAN6HE'
            # Hurricane Electric tunnel endpoint. 6in4 carries IPv6 inside IPv4
            # protocol 41, so every device between this router and peeraddr
            # must pass protocol 41 in both directions.
            option proto '6in4'
            option peeraddr '216.66.80.98'
            option ip6addr '2001:470:x:x:x:2/64'
            # tunnelid/username/password are what OpenWrt uses to update the
            # tunnel's IPv4 endpoint at the broker.
            option tunnelid 'idoftunnel'
            option username 'heusername'
            # NOTE(review): unlike the tunnel id and username, this value does
            # not look like a placeholder. If it is the real password/update
            # key, treat it as disclosed: rotate it, and redact secrets before
            # sharing /etc/config/network.
            option password '!IdVjKBYouSSADMEe!'
            option ip6prefix '2001:470:x:x:x/48'

config interface 'LAN6HE'                   
        option proto 'static'                
        option type 'bridge'
        option stp '1'   
        option igmp_snooping '1'
        option ifname 'eth0.3'
        option ip6assign '64'
        option ip6hint '2001:470:x:x:x:'

OpenWRT 防火墙配置(规则和区域):

    config rule # Temporary test rule; to be deleted
            # Accepts every IPv6 protocol forwarded from zone 'lan' to zone
            # 'LAN6HE', with no port or address restriction. Remove it once
            # testing is done so the two segments stay separated.
            option target 'ACCEPT'         
            option family 'ipv6'          
            option proto 'all'       
            option name 'Permit all traffic from LAN to LAN6HE'
            option src 'lan'        
            option dest 'LAN6HE'           

    config rule                            
            option name 'Allow-DHCP-Renew'
            option src 'wan'         
            option proto 'udp'           
            option dest_port '68'   
            option target 'ACCEPT'         
            option family 'ipv4'    

    config rule                          
            option name 'Allow-Ping' 
            option src 'wan'             
            option proto 'icmp'     
            option icmp_type 'echo-request'
            option family 'ipv4'    
            option target 'ACCEPT'   

    config rule                      
            option name 'Allow-IGMP'     
            option src 'wan'          
            option proto 'igmp'       
            option family 'ipv4'    
            option target 'ACCEPT'   

    config rule                       
            option name 'Allow-DHCPv6'   
            option src 'wan'          
            option proto 'udp'       
            option src_ip 'fc00::/6'
            option dest_ip 'fc00::/6'       
            option dest_port '546'       
            option family 'ipv6'      
            option target 'ACCEPT'       

    config rule                                     
            option target 'ACCEPT'         
            option src 'WAN6HE'             
            option name 'Allow-DHCPv6-HE'
            option family 'ipv6'                
            option proto 'udp'                      
            option src_ip 'fc00::/6'               
            option dest_ip 'fc00::/6'               
            option dest_port '546'                  

    config rule                                 
            option name 'Allow-MLD'                
            option src 'wan'                        
            option proto 'icmp'                     
            option src_ip 'fe80::/10'               
            list icmp_type '130/0'                  
            list icmp_type '131/0'              
            list icmp_type '132/0'              
            list icmp_type '143/0'                 
            option family 'ipv6'                    
            option target 'ACCEPT'
    config rule                                                
        option target 'ACCEPT'                             
        option src 'WAN6HE'                                
        option name 'Allow-MLD-HE'                         
        list icmp_type '130/0'                             
        list icmp_type '131/0'                  
        list icmp_type '132/0'                  
        list icmp_type '143/0'                  
        option family 'ipv6'                    
        option proto 'icmp'                     
        option src_ip 'fe80::/10'               

config rule                                     
        option name 'Allow-ICMPv6-Input'        
        option src 'wan'                        
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  

config rule                                     
        option name 'Allow-ICMPv6-Input-HE'     
        option src 'WAN6HE'                     
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'

config rule                                                
        option name 'Allow-ICMPv6-Forward'                 
        option src 'wan'                                   
        option dest '*'                                    
        option proto 'icmp'                                
        list icmp_type 'echo-request'                      
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  

config rule                                     
        option name 'Allow-ICMPv6-Forward-HE'   
        option src 'WAN6HE'                     
        option proto 'icmp'                     
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
        option dest '*'                         
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    

config rule                                     
        option name 'Allow-IPSec-ESP'           
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  

config rule                                     
        option target 'ACCEPT'                  
        option name 'Allow IPSec-ESP on HE'     
        option proto 'esp'                      
        option src 'WAN6HE'                     
        option dest 'LAN6HE'                    

config rule                                     
        option name 'Allow-ISAKMP'              
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                  
        option proto 'udp'                      
        option target 'ACCEPT'                  

config rule                                     
        option target 'ACCEPT'                  
        option name 'Allow-ISAKMP on HE'        
        option family 'ipv6'                    
        option proto 'udp'                      
        option src 'WAN6HE'                     
        option dest 'LAN6HE'                    
        option dest_port '500'
config defaults                                 
        # Global fallback policies, used for traffic that is not matched by
        # any zone defined in this file.
        option syn_flood '1'                    
        # NOTE(review): with input ACCEPT, packets addressed to the router on
        # an interface that belongs to no zone are accepted. The 'wan' and
        # 'WAN6HE' zones set input REJECT themselves, but an interface added
        # later without a zone would be open; REJECT is the safer fallback.
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option forward 'REJECT'                 

config zone                                     
        option name 'lan'                       
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option network 'lan'                    
        option forward 'REJECT'                 

config zone                                     
        option name 'wan'                       
        option input 'REJECT'                   
        option output 'ACCEPT'                  
        option forward 'REJECT'                 
        option masq '1'                         
        option mtu_fix '1'                      
        option network 'wan wan6'               

config forwarding                               
        option src 'lan'                        
        option dest 'wan'                       

config include                                  
        option path '/etc/firewall.user'        

config zone                                     
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option name 'LAN6HE'                    
        option network 'LAN6HE'                 
        option forward 'REJECT'                 

config zone                                     
        # Firewall zone for the Hurricane Electric tunnel interface.
        option output 'ACCEPT'                  
        option name 'WAN6HE'                    
        # input/forward REJECT: new connections arriving from the tunnel are
        # refused unless a rule with src 'WAN6HE' accepts them. The rules in
        # this file accept only DHCPv6, MLD, ICMPv6, ESP and UDP/500, and the
        # only forwarding section is LAN6HE -> WAN6HE. To reach a service on
        # the NAS from outside, add one narrow rule (dest 'LAN6HE' with a
        # specific dest_ip and dest_port) rather than relaxing these policies.
        option input 'REJECT'                   
        option network 'WAN6HE'                 
        # NOTE(review): masq enables NAT masquerading; in fw3 this is
        # presumably IPv4-only, so on a zone limited to family 'ipv6' it would
        # have no effect, and the routed HE prefix needs no NAT. Confirm and
        # remove.
        option masq '1'                         
        option mtu_fix '1'                      
        option forward 'REJECT'                 
        option family 'ipv6'                    

config forwarding                               
        option dest 'WAN6HE'                    
        option src 'LAN6HE'

LAN 和 LAN6HE 接口的 DHCP 服务器配置:

...
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra_management '1'
        option ra 'server'
        option ra_default '1'
        option ndp 'relay'
        list domain 'vmhome.ml'
...
config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
...
config dhcp 'LAN6HE'
        option interface 'LAN6HE'
        list domain 'vmhome.ml'
        option ignore '1'
        option ra 'server'
        option ndp 'hybrid'
        option ra_default '1'
...

NAS 网络配置:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
iface lo inet6 loopback

# The primary network interface
auto enp4s0
allow-hotplug enp4s0
iface enp4s0 inet dhcp
# This is an dhcp configured IPv6 interface
iface enp4s0 inet6 dhcp

# The secondary network interface, IPv6-only static configuration.
# No gateway is set in this stanza; the NAS routing table shown on this page
# has the default route for enp5s0 marked "proto ra", i.e. learned from
# router advertisements.
auto enp5s0
iface enp5s0 inet6 static
    address 2001:470:x:x:x:x
    netmask 64

网络中所有其他计算机都配置了 dhcp 并且没有问题。

OpenWRT的路由表IPv6:

ip -6 route
default from 2001:470:x:x:x:x/64 dev 6in4-WAN6HE  metric 1024 
default from 2001:470:x:x:x/48 dev 6in4-WAN6HE  metric 1024 
2001:470:x:x:x:x/64 dev 6in4-WAN6HE  metric 256 
2001:470:x:x:x:x/64 dev br-LAN6HE  metric 1024 
unreachable 2001:470:x:x:x/48 dev lo  metric 2147483647  error -113
2001:b07:x:x:x:x/126 dev eth1.2  metric 256 
2001:b07:x:x:x:147 dev br-lan  metric 1024 
2001:b07:x:x::34f dev br-lan  metric 1024 
2001:b07:x:x::ad9 dev br-lan  metric 1024 
2001:b07:x:x::c51 dev br-lan  metric 1024 
2001:b07:x:x::e8b dev br-lan  metric 1024 
2001:b07:x:x:x:x:x:8807 dev br-lan  metric 1024 
2001:b07:x:x:x:x:x:aa0 dev br-lan  metric 1024 
2001:b07:x:x:x:x:x:97f3 dev br-lan  metric 1024 
2001:b07:x:x:x:x:X:be1d dev br-lan  metric 1024 
2001:b07:x:X:x:X:x:227e dev br-lan  metric 1024 
2001:b07:x:x:x:x:x:e061 dev br-lan  metric 1024 
2001:b07:x:x:x:x:x:b53d dev br-lan  metric 1024 
2001:b07:X:x::/64 dev br-lan  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev eth1.2  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth1  metric 256 
fe80::/64 dev 6in4-WAN6HE  metric 256 
fe80::/64 dev br-LAN6HE  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
default via 2001:b07:5d2b:f916::1 dev eth1.2  metric 1024 
anycast 2001:470:x:x:x:x dev 6in4-WAN6HE  metric 0 
anycast 2001:470:x:x:x:x dev br-LAN6HE  metric 0 
anycast 2001:b07:x:x:x:x dev br-lan  metric 0 
anycast 2001:b07:X:x:x:x dev eth1.2  metric 0 
anycast fe80:: dev 6in4-WAN6HE  metric 0 
anycast fe80:: dev eth1.2  metric 0 
anycast fe80:: dev eth1  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev br-LAN6HE  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
ff00::/8 dev br-lan  metric 256 
ff00::/8 dev eth1.2  metric 256 
ff00::/8 dev eth0  metric 256 
ff00::/8 dev eth1  metric 256 
ff00::/8 dev 6in4-WAN6HE  metric 256 
ff00::/8 dev br-LAN6HE  metric 256 
ff00::/8 dev wlan1  metric 256 
ff00::/8 dev wlan0  metric 256

NAS的路由表IPv6:

sudo ip -6 route
2001:470:x:x:x:x/64 dev enp5s0 proto kernel metric 256  pref medium
2001:b07:x:x:x:147 dev enp4s0 proto kernel metric 256  pref medium
2001:b07:x:X:x:x/64 dev enp4s0 proto kernel metric 256  pref medium
fe80::/64 dev enp4s0 proto kernel metric 256  pref medium
fe80::/64 dev enp5s0 proto kernel metric 256  pref medium
default via fe80::24f5:a2ff:fe25:21eb dev enp4s0 proto ra metric 1024  expires 1691sec hoplimit 64 pref medium
default via fe80::24f5:a2ff:fe25:21eb dev enp5s0 proto ra metric 1024  expires 1529sec hoplimit 64 pref medium

问题:

ping -I enp5s0 ipv6.google.com
PING ipv6.google.com(mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e)) from 2001:470:x:x:x:x enp5s0: 56 data bytes
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=1 ttl=54 time=59.0 ms
^C
--- ipv6.google.com ping statistics ---
6 packets transmitted, 1 received, 83% packet loss, time 5096ms
rtt min/avg/max/mdev = 59.092/59.092/59.092/0.000 ms

目前我找到的变通办法(在我看来毫无道理)是:

sudo traceroute -i enp5s0 ipv6.google.com -n
traceroute to ipv6.google.com (2a00:1450:4006:801::200e), 30 hops max, 80 byte packets
 1  2001:470:x:x:x:1  0.335 ms  0.293 ms  0.271 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * 2a00:1450:4006:801::200e  43.135 ms # ipv6.google.com

跟踪路由后执行 Ping 操作:

ping -I enp5s0 ipv6.google.com
PING ipv6.google.com(mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e)) from 2001:470:x:x:x:c2c enp5s0: 56 data bytes
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=1 ttl=54 time=43.0 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=2 ttl=54 time=43.0 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=3 ttl=54 time=43.0 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=4 ttl=54 time=42.9 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=5 ttl=54 time=43.0 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=6 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=7 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=8 ttl=54 time=43.5 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=9 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=10 ttl=54 time=43.1 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=11 ttl=54 time=43.6 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=12 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=13 ttl=54 time=42.9 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=14 ttl=54 time=43.0 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=15 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=16 ttl=54 time=43.4 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=17 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=18 ttl=54 time=42.8 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=19 ttl=54 time=42.9 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=20 ttl=54 time=42.9 ms
64 bytes from mrs08s01-in-x0e.1e100.net (2a00:1450:4006:801::200e): icmp_seq=21 ttl=54 time=43.5 ms
^C
--- ipv6.google.com ping statistics ---
21 packets transmitted, 21 received, 0% packet loss, time 20033ms
rtt min/avg/max/mdev = 42.812/43.065/43.602/0.254 ms

答案1

经过很长一段时间,终于找到了一个解决方案:我用自己的路由器完全替代了提供商路由器。

去掉提供商的路由器之后,Hurricane Electric 隧道运行良好。

因此,我推测该问题是由提供商路由器过滤协议 41 引起的,正如 Hurricane Electric 技术支持所述。(6in4 隧道把 IPv6 数据包封装在 IPv4 协议号 41 中,因此路径上的每台设备都必须双向放行该协议。)
